[Snort-users] RE: NAT Penetration Techniques

Jeff DuVall abyssleaper at ...125...
Wed Mar 6 10:34:07 EST 2002


While I'm not an expert at NAT/Penetration/SNORT, I might be able to shed 
some light for you.  I have a similar setup where my firewall NATs all 
connections to the outside world. For example, I might have 10 connections 
to the outside world from the following 10 imaginary internal IPs:

192.168.1.1
192.168.1.2
..
192.168.1.10

and they will all appear to the outside world as 198.6.1.1 (if that is my 
public NAT IP).  Your firewall keeps track of which internal IPs have 
initiated a connection, and routes the traffic to the correct workstation, 
even though you have NAT in place.  The reason you are seeing these alerts 
is that your firewall is re-routing the packets to the 
correct IP, and your internal Snort is giving you the alert on the payload 
contained in that packet.  The external sources don't have any idea what 
your internal addresses are, and couldn't use them unless they had access to 
your internal network.

On my system, the majority of the shellcode alerts are false, as the 
signature is picking up on HTML code from normal web traffic.

Just my thoughts here..

-Jeff

<..snip..>
>From: "Basil Saragoza" <snortlst at ...125...>
>To: <snort-users at lists.sourceforge.net>
>Date: Tue, 5 Mar 2002 18:24:30 -0500
>Subject: [Snort-users] NAT penetration techniques
>
>I'm not really sure this forum is a place to ask those questions, but
>maybe you can give me a hint...
>I run 2 snort sensors: the first sniffs traffic coming to the public ip of the
>firewall, the second sniffs the lan ip of the firewall, so I can see which
>traffic comes from the internet and which has actually penetrated
>inside my lan through the firewall.
>
>I see shellcode attacks and other icmp activity that are directed to
>computers inside my lan - some workstations, let's say. Some of those
>workstations have dhcp ip addresses and some have static ones (from the
>10.0.0.x range). Those workstations' ip addresses use hidden NAT when they
>go to the internet, and the outside world has knowledge of the hidden nat ip
>address but not of the particular 10.something address. That's my
>understanding.....
>In snort I see attacks directed to 10.0.0.x addresses.
>HOW CAN OUTSIDE WORLD ATTACKERS KNOW WHICH IP ADDRESSES I USE INTERNALLY
>AND HOW CAN THEY ATTACK THOSE WORKSTATIONS, DO THEY BYPASS NAT SOMEHOW?
>thx.
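The behaviour Jeff describes in the reply above, as an added example that is not part of the original post and not Snort's or any firewall's code: a toy stateful hide-NAT with ten private hosts behind 198.6.1.1. The firewall records which internal host opened each connection and rewrites the reply back to it, so a sensor on the public interface logs the public address while a sensor on the LAN interface logs the private one, and a packet from outside with no matching connection entry is dropped. The remote server 203.0.113.5, the attacker address 198.51.100.9, the ports and the payloads are all constructed for the example.

```python
"""Toy stateful NAT illustrating the mailing-list reply.  Constructed example;
not code from the original post or from Snort."""
from dataclasses import dataclass, replace

PUBLIC_IP = "198.6.1.1"                      # the public NAT address from the reply
INTERNAL_HOSTS = [f"192.168.1.{i}" for i in range(1, 11)]
WEB_SERVER = ("203.0.113.5", 80)             # constructed remote host


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class NatFirewall:
    """Hide-NAT (PAT): many private hosts behind one public address."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self._next_port = first_port
        # public source port -> (internal ip, internal port, remote ip, remote port)
        self.table = {}

    def outbound(self, pkt):
        """Rewrite a LAN-originated packet; remember who opened the connection."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, known in self.table.items():
            if known == flow:
                break                        # existing connection keeps its port
        else:
            pub_port = self._next_port
            self._next_port += 1
            self.table[pub_port] = flow
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, pkt):
        """Translate a packet arriving from the internet, or drop it (None)."""
        if pkt.dst_ip != self.public_ip:
            return None                      # private addresses are not reachable from outside
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None                      # nobody inside opened this connection
        in_ip, in_port, rem_ip, rem_port = entry
        if (pkt.src_ip, pkt.src_port) != (rem_ip, rem_port):
            return None                      # wrong peer for this mapping
        return replace(pkt, dst_ip=in_ip, dst_port=in_port)


def sensor_views(nat, lan_pkt, reply_payload):
    """Return (outside sensor view, inside sensor view) of the reply to lan_pkt.

    The outside sensor sits on the firewall's public interface and sees the
    reply before translation; the inside sensor sits on the LAN interface and
    sees it after translation, addressed to the private host.  Same payload,
    so the same rule fires on both, with different destination addresses.
    """
    on_wire = nat.outbound(lan_pkt)
    reply = Packet(on_wire.dst_ip, on_wire.dst_port,
                   on_wire.src_ip, on_wire.src_port, reply_payload)
    return reply, nat.inbound(reply)


def run_scenario():
    """Ten hosts browse one web server; one stray packet targets a private IP."""
    nat = NatFirewall()
    outside_log, inside_log = [], []
    for i, host in enumerate(INTERNAL_HOSTS):
        request = Packet(host, 1025 + i, *WEB_SERVER, b"GET / HTTP/1.0\r\n\r\n")
        # constructed HTML reply with a run of 'A's, the kind of content that
        # trips NOP-sled style shellcode signatures on ordinary web traffic
        outside, inside = sensor_views(nat, request, b"<html>AAAAAAAAAAAAAAAA</html>")
        outside_log.append(outside)
        inside_log.append(inside)
    # Unsolicited packet aimed straight at a private address: no mapping, dropped.
    stray = nat.inbound(Packet("198.51.100.9", 31337, "192.168.1.3", 139, b"\x90" * 16))
    return outside_log, inside_log, stray


if __name__ == "__main__":
    out, inn, stray = run_scenario()
    for o, i in zip(out, inn):
        print(f"outside sensor: {o.src_ip}:{o.src_port} -> {o.dst_ip}:{o.dst_port}")
        print(f"inside  sensor: {i.src_ip}:{i.src_port} -> {i.dst_ip}:{i.dst_port}")
    print("stray packet to private address delivered:", stray is not None)
```

The inside sensor's alert carries the 10.x/192.168.x destination only because the firewall rewrote it after the connection table matched an outbound flow; the attacker never addressed that host, and the stray packet sent directly to a private address finds no table entry and never reaches the LAN.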

